With the introduction of Bring Your Own Device (BYOD) policies into corporate and government enterprises, there is much concern about whether the device user is in fact the device owner, or authorized user, and whether the user has permission to access and manipulate enterprise data (from an enterprise server) held on the device. This same concern is present in mobile payment systems, where there are more and more cases of fraudulent card use and identity theft, which cost the banks and the consumer billions of dollars annually. These are very realistic concerns since about 5% of mobile devices and personal digital assistants (PDA's) are lost or stolen each year and counterfeit cards, created from illegally obtained, large lists of existing card numbers, are being used to defraud banks and the consumer. Many of the mobile devices and payment cards are not protected from fraudulent use by any method which would meet the requirements of a security-conscious organization. If the enterprise insists upon the user protecting the device (and access to the enterprise server) with a complex, changing password, the user resists this because of the difficulty of remembering and entering the password. If the device is protected by just a 4-digit PIN, this can be easily hacked in less than a minute or two, with a brute force attack. Many devices are not protected at all and the mobile device or payment card, falling into wrong hands can be a personal or corporate disaster or both.
Increasingly now, payment systems involve a mobile device or a POS terminal with electronic signature capture and may involve an integrated circuit payment card to “identify” the user. However in the event the card is a counterfeit copy or if it or the mobile device has been lost or stolen, a PIN, on its own, provides little defense.
Software solutions, based upon biometrics and other methods, do not necessarily solve the problem, since mobile device and POS terminal software can be changed by malware introduced by nefarious entities.
This invention solves the problems of:                1) Tying the user to a mobile device or Integrated Circuit card with a very high probability        2) Asserting a trusted mobile device ID or Payment card ID using hardware elements of the mobile device, an ASIC or IC component        3) Releasing trusted credentials or an authentic signature to a relying party        4) Providing strong encryption for data at rest and in transit        5) Providing tamper-proof software applications.        
The invention addresses the implementation of hardware rooted mobile device ID generation and user identity verification, through biometric means incorporated into the Mobile Device itself, or into an Application Specific Integrated Circuit (ASIC) device, on or connected mobile device. It can also be applied to the integrated circuit of an IC chip card integrated into or connected to a stand-alone computing device. The functions are accompanied by software signing techniques with a local biometric template, and data encryption to help ensure a secure operating environment for the mobile device or IC payment card. The stand-alone computing device may be a POS terminal with an integrated IC card reader and signature capture capability, or a consumer mobile device.
The following description extracts salient parts of U.S. patent application Ser. No. 12/931,340, and adds to it new and improved aspects to create this application. The application includes the almost identical specification and drawings forming the basis of application Ser. No. 14/198,695 with different claims and is a Continuation of application Ser. No. 14/198,695.
1. Field of Invention
The invention described herein is related to using biometric data samples, user knowledge of secret numbers, device hardware ID data and encryption in a cooperative manner to authenticate users of mobile devices, stand-alone computing device users and users of integrated circuit cards, to enable storage of secure encrypted biometric templates and to provide the basis for them to be accepted as trusted devices to local or remote computers or servers without the need for the user to remember and enter complex passwords. Biometrics can be used in a local (to the mobile device) context, where the biometric template is held locally. Alternatively they can be used for remote authentication where the Biometric template is held on a server. In this latter case there is a National and International Standard for the exchange of biometric data as described in the Common Biometric Exchange File Format (CBEFF) standard. The term mobile device in this specification refers to any stand-alone computing device that is generally used in a portable manner and the terms mobile device and stand-alone computing device are used interchangeably.
The invention is described in the context of biometric data, and particularly signature/sign data, which is rotated to a consistent angle of inclination prior to feature extraction according to the patent application Ser. No. 12/627,413—now U.S. Pat. No. 7,916,907 and is applicable to any image-based biometric modality.
The invention combines the use of biometrics and a PIN to release complex passwords, with a hardware root of trust based upon an ASIC contained within the mobile device, or based upon the hardware characteristics of the mobile device itself, to provide authentication of and secure access for mobile device users to mobile devices, secure networks and enterprise servers. It is also used to identify users of Integrated Circuit Payment Cards. It uses the complex passwords, based on hardware roots, to generate strong encryption keys to protect the mobile device data and the biometric template, which is used to authenticate the user against a biometric sample submitted on the mobile device or stand-alone computing device. This is achieved by using a special sensor on the mobile device or stand-alone computing device, or capturing user input from already existing mobile device or stand-alone computing device hardware, such as a screen digitizer (with a stylus or a finger input), or perhaps a mouse, camera, microphone or finger-print sensor.
2. Description of Prior Art
This invention is an improvement over software based solutions, which can be compromised by malware, especially on mobile devices with open source software. Beatson et al. in U.S. patent application Ser. No. 12/931,340 (now U.S. Pat. No. 8,842,887) describes a strong method, which is predominantly a software solution, using a hardware root of trust based on the mobile device UUID. The UUID is actually calculated via a software routine which could be compromised by malware introduced into the mobile device or stand-alone computing device software. The current method further improves mobile device security. Many biometric systems rely on the existence of a remote biometric template that is outside the immediate control of the user and could be compromised without the user being immediately aware of the fact. The local template of this invention, held on the mobile device, the ASIC or the IC chip of the payment card, puts the template control back in the hands of the user and thereby enhances the user's privacy as well as increasing the overall security of the mobile device and the payment card system.
The Trusted Computer Group is developing a Mobile Device Module similar in function to the Trusted Platform Module (TPM) used in many computers today but the method does not include any definitive biometric solution based upon a local biometric template. The current invention will enable the user to authenticate to the TPM by releasing a complex password to it. In addition the invention will combine all the necessary ingredients to create a trusted mobile device system, adding significantly to existing mobile device trust so that they can be used in a BYOD context, to connect to enterprise servers, improve the productivity of mobile workers and help to reduce payment card fraud and identity theft.
Today, there are billions of mobile devices in operation, most of which contain much sensitive, private and/or confidential information which is at risk in the event the device is lost or stolen. Mobile devices in this category include, but are not limited to Cell Phones, Smart phones Tablets, PDA's, laptops and other mobile devices. Following the introduction of capacitive finger touch and stylus sensitive Point-of-Sale (POS) terminals introduced in the early-mid 1990's which captured the electronic signatures of customers, there has been unprecedented growth in (finger) touch sensitive mobile devices sparked by the introductions of the iPhone, Android-based mobile devices, the iPad and Windows 10 Mobile devices, which can all use capacitive screens for stylus or finger input. These mobile devices are very attractive consumer mobile devices and consequently, there is more pressure than ever for Enterprises to allow them to connect to corporate networks, particularly for email and cell phone use, and for banks to allow them to be used as on-line payment instruments. Connection to corporate networks for other purposes than email is allowed by some enterprises, whereas other enterprises choose not to allow such access because of the security risks involved—Is the mobile device user really the mobile device owner? The data accessible to these mobile device users (owners or not) contain, at least, highly confidential personal information, which could be used for financial payment card fraud, identity theft or for other nefarious purposes and, in other cases, confidential personal and corporate data which could be highly detrimental to the corporate entity if it came into the public domain. For government workers and the military, if these mobile devices fall into enemy hands or into the hands of foreign Governments and they do not have suitable protection the mobile devices can be detrimental to National Security
Most of these mobile devices, if they are protected at all, rely upon the submission of a password, or just a simple PIN to gain access to the mobile device. The PIN, on its own, although relatively user friendly, is very insecure. It can be passed on, guessed, overseen at entry, or easily generated through a brute force attack (an automated attack based upon submitting sequential PIN values until the correct one is found). A four digit PIN will succumb within a minute or two to this form of attack. Depending upon the password, this too can be insecure for the same reasons. If the password is sufficiently complex to provide sufficient security (e.g. a regularly-changing, randomly-chosen eight-character string consisting of lower case, upper case, numeric and special characters) the password becomes difficult to remember and enter, especially on small mobile devices and is very user unfriendly. As a result of the inherent lack of security associated with the mobile devices many of them are not allowed to connect to their enterprise networks and this severely restricts their usefulness.
Over the last fifteen years or so and particularly since 9/11 there has come a realization that authentication systems based upon password entry at the keyboard or on the device are particularly vulnerable to unauthorized and unfettered access from many different sources and are particularly user-unfriendly. This despite increasingly sophisticated encryption methods and algorithms. The science of Biometrics promotes the capture of samples of biological properties or behavioral characteristics of individuals and extracts measurable features from the samples to be compared with stored templates. The science has made much progress in the last few years and there are now many such systems in situ protecting access to physical and logical assets by ensuring that access rights are granted only to authentic individuals and denied to imposters. Image-based biometric systems, which use Fingerprint and Palm patterns, Face and Iris patterns, Hand Geometry and Vein analysis, etc., are all in use or under current development. Dynamic or behavioral biometric systems, which introduce the dimension of time into the sample analysis rely upon the submission of stylus or finger-based Signs or Signatures and Voice or Keystroke patterns and are also being used for similar applications. The behavioral biometric technologies have several advantages over systems based purely upon physiological imaging technologies. For example, they offer the possibility of user-chosen, secret-based templates preserving privacy, increasing performance and allowing template revocation and replacement in the event of compromise.
This invention uses a method of obfuscating a password, storing it and protecting it in such a way as to make it extremely difficult to extract. This password may then used to generate symmetrical encryption keys to protect the template and other data at rest (DAR) on the mobile device.
One of the major issues in using biometric systems for protecting access to mobile devices has been the problem of protecting a local biometric template from being extracted from the mobile device in the event of its loss or theft. If a password based encryption key is used then the system access is again reliant upon the entered password. One of the inherent properties of biometric samples is that successive samples from the same user are never the same, although they might be very similar, especially in the case of image based biometric samples. Consequently the sample cannot be used to generate a constant encryption key without some degradation of performance of the overall biometric system.
References associated with the parent of this Continuation application have discussed other systems that attempt to do this and there have been other systems and patents also trying to accomplish the difficult task of successfully obfuscating passwords. Transaction Security, Inc., Beatson & Kelty, in 2003, developed an unpatented system, called PDA-Protect®, which was beta-tested by Microsoft. This was documented in a Press Release dated May 27, 2003 entitled “Transaction Security, Inc. Unveils Crypto-Sign™ Biometric Software for The Mobile Workforce”.
This was a very early prototype and, although it released an obfuscated password, it did not protect it or the biometric template fully. Johansson et al. in U.S. application Ser. No. 10/990,798 (filed Nov. 17, 2004) proposes an asymmetrical key pair approach but this makes the encryption computing and key management very burdensome. The current invention advocates a system that relies upon a symmetrical encryption process such as the Advanced Encryption Standard and key definition and management is an important aspect of the process.
In addition the current invention advocates a solution incorporated into an IC chip, which uses a Chip ID rooted in the Chip hardware, which can be used to securely store an electronic representation of the user's signature as well as the biometric template. It also contains code incorporated in the IC Chip, to provide a biometric matching capability for signatures submitted on POS terminals. An IC Card-based signature system was proposed in 1996 (by two of the current authors of this application) in U.S. Pat. No. 5,892,824. However that system relied upon the release to the POS terminal of the biometric template and this would be considered insecure today.
This application proposes a system and methods to:
a) Securely authenticate the user to the mobile device by automatically releasing a password to the mobile device authentication system in response to a matched biometric sample and a correct PIN.
b) Authenticate the user and the mobile device to a remote computer or server to provide a trusted mobile device system.
c) Remove the need for the user to remember and enter complex passwords, whilst retaining the benefits of complex password infrastructure for authentication and encryption.
d) Encrypt the biometric template and other data on the mobile device or payment card IC chip without the need to enter a complex password.
e) Automatically generate strong encryption keys for mobile device data and template encryption and to protect secure data communications between the mobile device and a server.
f) Release trusted credentials, including electronic signatures, to provide proof of authorship for transactions and electronic documents, especially for Point of Sale transactions